Abstract


Trusted Platform Module (TPM) Services is a new feature set in 
Microsoft® Windows Vista™ used to administer the TPM security hardware in 
your computer. The TPM Services architecture provides the infrastructure for 
hardware-based security by providing access to, and assuring application-level 
sharing of, the TPM. This guide includes system requirements and step-by-step 
instructions on how to use TPM Services in a test lab environment. 
Windows Vista Beta 2 Trusted Platform Module Services Step-by-Step Guide 


This Step-by-Step Guide provides the instructions necessary to use Trusted 
Platform Module (TPM) Services in a test lab environment. 


What is Trusted Platform Module Services? 


Trusted Platform Module (TPM) Services is a new feature set in 
Microsoft® Windows Vista™ and Windows Server® Code Name "Longhorn" 
used to administer the TPM security hardware in your computer. The TPM Services 
architecture provides the infrastructure for hardware-based security by 
providing access to, and application-level sharing of, the TPM. 


What is a Trusted Platform Module? 


A TPM is a microchip designed to provide basic security-related functions, 
primarily involving encryption keys. The TPM is usually installed on the 
motherboard of a computer or laptop, and communicates with the rest of the 
system using a hardware bus. 


Computers that incorporate a TPM have the ability to create cryptographic 
keys and encrypt them so that they can only be decrypted by the TPM. This 
process, often called "wrapping" or "binding" a key, can help protect the key 
from disclosure. Each TPM has a master "wrapping" key, called the Storage 
Root Key (SRK), which is stored within the TPM itself. The private portion of a 
key created in a TPM is never exposed to any other component, software, 
process or person. 


Computers that incorporate a TPM can also create a key that has not only 
been wrapped, but also tied to certain platform measurements. This type of 
key can only be unwrapped when those platform measurements have the 
same values that they had when the key was created. This process is called 
"sealing" the key to the TPM. Decrypting it is called "unsealing." The TPM can 
also seal and unseal data generated outside of the TPM. With this sealed key 
and software like BitLocker™ Drive Encryption, you can lock data until specific 
hardware or software conditions are met. 


With a TPM, private portions of key pairs are kept separated from the memory 
controlled by the operating system. Keys can be sealed to the TPM, and 
certain assurances about the state of a system, which define its 
"trustworthiness", can be made before the keys are unsealed and released for 
use. Because the TPM uses its own internal firmware and logic circuits for 
processing instructions, it does not rely upon the operating system and is not 
exposed to external software vulnerabilities. 


Who should use this guide? 

This guide is intended for the following audiences: 

• IT planners and analysts who are evaluating the product. 

• Early adopters. 

• Security architects who are responsible for implementing trustworthy 
computing. 


In this guide 


• Requirements for TPM Services 

• Key TPM Services scenarios 

• Scenario 1: Initialize the TPM 

• Scenario 2: Turn off and clear the TPM 

• Scenario 3: Block and allow TPM commands 

• Logging bugs and feedback 

• Additional resources 


Requirements for TPM Services 


We recommend that you first use the steps provided in this guide in a test lab 
environment. A Step-by-Step guide is not necessarily meant to be used to 
deploy Windows Vista or Windows Server "Longhorn" features without 
accompanying documentation (as listed in the Additional Resources section) 
and should be used with discretion as a stand-alone document. 


Preparing the test lab for TPM Services 


The lab configuration needed for testing TPM Services is simply a client 
computer connected to an isolated network through a common hub or Layer 2 
switch. The client must be running Windows Vista and be equipped with a 
compatible TPM (version 1.2) and Trusted Computing Group (TCG)-compliant 
BIOS. A portable USB memory drive is also recommended. Private IP 
addresses should be used throughout the test lab configuration. 


Key scenarios for TPM Services 


This guide covers the following scenarios for TPM Services: 
• Scenario 1: Initialize the TPM 

• Scenario 2: Turn off and clear the TPM 

• Scenario 3: Block and allow TPM commands 


Note 
The three scenarios included in this guide are intended to help 
administrators become familiar with the TPM Services feature set of 
Windows Vista. They include the basic information and procedures 
administrators need to start configuring and deploying TPM-equipped 
computers within their networks. Information and procedures for advanced 
or customized TPM Services configurations are not included in this guide. 


Scenario 1: Initialize the TPM 


This scenario details how to initialize the TPM on your computer. The 
initialization process involves turning on the TPM, and then setting ownership 
of the TPM. This scenario is written for local administrators responsible for 
setting up TPM-equipped computers. 


Remote initialization of the TPM is supported in Windows Vista; however, a 
physical presence is normally required to initialize a computer's TPM. If a 
computer is shipped with the TPM initialized, no physical presence is required. 
Information about and procedures for remote initialization are not included in 
this guide. TPM Services exposes a WMI class that allows the procedures in 
this scenario to be performed by means of scripting. Information about 
scripting those tasks is also not included in this guide. 


Steps for initializing the TPM 
To initialize the TPM on your computer, complete the following steps: 


• Step 1: Initialize the TPM 

• Step 2: Set ownership of the TPM 


Step 1: Initialize the TPM 


The TPM must be initialized before it can be used to help secure your 
computer. Step 1 covers the procedure for initializing a computer's TPM. 


Computers manufactured to meet Windows Vista requirements include 
pre-boot BIOS functionality that makes it easy to initialize a computer's TPM 
through the TPM Initialization Wizard. When you start the TPM Initialization 
Wizard, you can determine whether the computer's TPM has been initialized or 
not. 


The following procedure steps you through the process of starting the TPM 
Initialization Wizard and initializing the TPM. 


Note 


To perform the following procedure, you must be logged into a 
TPM-equipped computer with administrator credentials. 


> To start the TPM Initialization Wizard and initialize the TPM 


1. Click Start, click All Programs, click Accessories, and then click 
Run. 


2. Type tpm.msc in the Open box, and then press Enter. 


3. If a User Account Control dialog box appears, verify that the 
proposed action is what you requested, and then click Continue. For 
more information, see Additional resources at the end of this 
document. 


4. The TPM Management Console is displayed. 


5. Under Actions, click Initialize TPM. The TPM Initialization Wizard is 
started. 


• If the TPM is turned off, the TPM Initialization Wizard will display the 
Turn on the TPM Security Hardware dialog box. This dialog box 
provides guidance for initializing the TPM. 


• If the TPM is already initialized, the TPM Initialization Wizard will 
display the Create the TPM owner password dialog box. See 
Step 2: Set ownership of the TPM later in this guide. 


• If the TPM Initialization Wizard detects a BIOS that does not meet 
Windows Vista requirements, you will not be able to continue with 
the wizard, and you will be alerted to consult the computer 
manufacturer's documentation for instructions for initializing the 
TPM. 


6. Click Shutdown (or Restart), and then follow the BIOS screen 
prompts. 


Note BIOS screen prompts and controls will vary by computer 
manufacturer. 


7. After restart, an acceptance prompt is displayed to ensure that a user 
is a physically present user, and that it is not malicious software 
attempting to initialize the TPM. 


8. If a User Account Control dialog box appears, verify that the 
proposed action is what you requested, and then click Continue. For 
more information, see Additional resources at the end of this 
document. 


9. Click Automatically prepare the TPM for ownership 
(recommended). 


10. Continue with Step 2. 


Step 2: Set ownership of the TPM 


The TPM must also be owned before it can be used to help secure your 
computer. By setting ownership of the TPM, you are assigning a password that 
helps ensure only the authorized TPM owner can access and manage the TPM. 
The TPM owner password is also used to turn off the TPM if you no longer want 
to use it, or to clear the TPM if the computer is to be recycled. 


The following procedure steps you through the process of taking ownership of 
the TPM using the TPM Initialization Wizard. 
Note 


To perform the following procedure, you must be logged into a 
TPM-equipped computer with local administrator credentials. 


> To set ownership of the TPM 


1. If you have already initialized the TPM, start the TPM Initialization 
Wizard. If you need to review the steps to do so, see Step 1: Initialize 
the TPM earlier in this guide. 


2. From the Create the TPM owner password dialog box, select 
Automatically create the password (recommended). 


3. From the Save your TPM owner password dialog box, click Save 
the password. 


4. In the Save As dialog box, select a location to save the password, and 
then click Save. The password file is saved as computer_name.tpm. 


Important We highly recommend saving the TPM owner password to 
removable media. 


5. Click Print the password if you want to print a hard copy of your 
password. 


Important We highly recommend printing a hard copy of your TPM 
owner password and storing it in a safe location. 


6. Click Initialize. 


Note The process of initializing the TPM might take a few minutes to 
complete. 


7. Click Close. 


Caution Do not lose your password. If you do, you will be unable to 
make administrative changes until you clear the TPM. 


Scenario 2: Turn off and clear the TPM 


This scenario covers two common tasks that administrators would perform 
during a re-configuration or recycling of a TPM-equipped computer. These 
tasks are turning off the TPM and clearing the TPM. 
Turn off the TPM 


Some administrators might decide that not every TPM-equipped computer in 
their network needs to have the additional protection a TPM provides. In this 
situation, it is best to ensure that the TPMs in those computers are turned off. 
The following procedure steps you through the process of turning off the TPM. 


Note 
A physical presence is not required to turn off the TPM. 


To perform the following procedure, you must be logged onto a 
TPM-equipped computer with local administrator credentials. 


> To turn off the TPM 


1. Click Start, click All Programs, click Accessories, and then click 
Run. 


2. Type tpm.msc in the Open box, and then press Enter. The TPM 
Management Console is displayed. 


3. If a User Account Control dialog box appears, verify that the 
proposed action is what you requested, and then click Continue. For more 
information, see Additional resources at the end of this document. 


4. Under Actions, click Turn TPM Off. 


5. From the Turn off the TPM Security Hardware dialog box, select a 
method for entering your password and turning off the TPM: 


• If you have the removable media onto which you saved your TPM 
owner password, insert it and click I have a backup file with the 
TPM owner password. From the Select backup file with the 
TPM owner password dialog box, use Browse to point to 
the .tpm file saved on your removable media and click Open, and 
then click Turn TPM Off. 


• If you do not have the removable media onto which you saved your 
password, click I want to type the TPM owner password. From 
the Type your TPM owner password dialog box, enter your 
password (including dashes) and click Turn TPM Off. 


• If you do not know your TPM owner password, click I don't have 
the TPM owner password, and follow the instructions provided to 
turn off the TPM without entering the password. 


Note You can turn off the TPM and perform a limited number of 
management tasks without entering the TPM owner password by 
just being present at the computer. 


The status of your TPM is displayed under Status on the TPM 
Management console. 


Clear the TPM 


Clearing the TPM cancels the TPM ownership and turns the TPM off. This 
should be done when a TPM-equipped client computer is recycled, or when the 
TPM owner has lost the TPM owner password. The following procedure steps 
you through the process of clearing the TPM. 


Note 
A physical presence is not required to clear the TPM. 


To perform the following procedure, you must be logged onto a 
TPM-equipped computer with local administrator credentials. 


> To clear the TPM 


1. Click Start, click All Programs, click Accessories, and then click 
Run. 


2. Type tpm.msc in the Open box, and then press Enter. The TPM 
Management Console is displayed. 


3. If a User Account Control dialog box appears, verify that the 
proposed action is what you requested, and then click Continue. For more 
information, see Additional resources at the end of this document. 


Caution Clearing the TPM resets it to factory defaults and turns it off. 
You will lose all created keys and data protected by those keys. 


4. Under Actions, click Clear TPM. If the TPM is off, follow the procedure 
in Step 1: Initialize the TPM to re-initialize it before clearing it. 


5. From the Clear the TPM Security Hardware dialog box, select a 
method for entering your password and clearing the TPM: 


• If you have the removable media onto which you saved your TPM 
owner password, insert it and click I have a backup file with the 
TPM owner password. From the Select backup file with the 
TPM owner password dialog box, use Browse to point to 
the .tpm file saved on your removable media and click Open, and 
then click Clear TPM. 


• If you do not have the removable media onto which you saved your 
password, click I want to type the TPM owner password. From 
the Type your TPM owner password dialog box, enter your 
password (including dashes) and click Clear TPM. 


• If you do not know your TPM owner password, click I don't have 
the TPM owner password, and follow the instructions provided to 
clear the TPM without entering the password. 


Note You can clear the TPM and perform a limited number of 
management tasks without entering the TPM owner password by 
just being present at the computer. 


The status of your TPM is displayed under Status on the TPM 
Management console. 


Scenario 3: Block and allow TPM 
commands 


This scenario details the procedure to block or allow a TPM command. This is a 
task that local administrators can perform during the setup or re-configuration 
of a TPM-equipped computer. TPM commands are managed through a child 
node of the TPM Management console named Command Management. Here, 
administrators can explore the commands available to the TPM. They can also 
block and allow those commands within the constraints of the Local Machine 
and Group Policy settings. The following procedure steps you through blocking 
and unblocking TPM commands. 


Note 


To perform the following procedure, you must be logged into a 
TPM-equipped computer with local administrator credentials. 


> To block and allow TPM commands 


1. Click Start, click All Programs, click Accessories, and then click 
Run. 


2. If a User Account Control dialog box appears, verify that the 
proposed action is what you requested, and then click Continue. For 
more information, see Additional resources at the end of this 
document. 


3. Type tpm.msc in the Open box, and then press Enter. The TPM 
Management Console is displayed. 


4. Click Command Management in the console tree. A list of TPM 
commands is displayed. 


5. Select a command from the list that you want to block or allow. 


6. Under Actions, click either Block Selected Command or Allow 
Selected Command as needed. 


Note Local administrators cannot allow TPM commands blocked 
through Group Policy. Commands on the default block list for the TPM 
MMC also cannot be allowed until the Group Policy settings are 
changed to ignore the default block list. 
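Scenario 1 mentions that TPM Services exposes a WMI class so the same tasks can be scripted, but the guide does not name it or show a script. As an added example that is not part of this guide, the Windows PowerShell script below reads, without changing anything, the state that the three scenarios manipulate: whether the TPM is turned on, activated and owned, and whether particular commands are on the block list. It assumes the class is Win32_Tpm in the root\cimv2\Security\MicrosoftTpm namespace with the IsEnabled, IsActivated, IsOwned and IsCommandBlocked methods, and that Windows PowerShell is installed on the Vista client; the command ordinals are the TPM 1.2 ordinals from the TCG specification.

```powershell
# Added example (not from the guide). Assumptions: the TPM Services WMI class is
# Win32_Tpm in root\cimv2\Security\MicrosoftTpm, and it exposes the methods
# IsEnabled, IsActivated, IsOwned and IsCommandBlocked. Read-only: nothing here
# turns on, takes ownership of, clears or blocks anything. Run from an elevated
# (administrator) PowerShell prompt, as the procedures above require.

$TpmNamespace = 'root\cimv2\Security\MicrosoftTpm'

function Get-TpmStateReport {
    $tpm = Get-WmiObject -Namespace $TpmNamespace -Class Win32_Tpm
    if ($null -eq $tpm) {
        return New-Object PSObject -Property @{ Present = $false;
            Summary = 'No TPM found (or TPM Services is not available on this computer)' }
    }
    # Each Is* method returns an object whose same-named property carries the flag.
    $enabled   = [bool]$tpm.IsEnabled().IsEnabled       # on/off: Scenario 1 step 1, Scenario 2
    $activated = [bool]$tpm.IsActivated().IsActivated   # BIOS activation completed
    $owned     = [bool]$tpm.IsOwned().IsOwned           # owner password set: Scenario 1 step 2

    $summary = if ($enabled -and $activated -and $owned) { 'initialized and owned' }
               elseif ($enabled -and $activated) { 'turned on, ownership not yet set' }
               else { 'turned off or not activated; run the TPM Initialization Wizard' }
    New-Object PSObject -Property @{
        Present = $true; Enabled = $enabled; Activated = $activated; Owned = $owned
        SpecVersion = $tpm.SpecVersion; Summary = $summary
    }
}

# Scenario 3 check: is a command blocked by the local or Group Policy block list?
# Constructed sample set of TPM 1.2 command ordinals (TCG specification values).
function Test-TpmCommandsBlocked {
    param([hashtable]$Ordinals = @{ TPM_GetCapability = 101; TPM_TakeOwnership = 13;
                                     TPM_OwnerClear = 91; TPM_ForceClear = 93 })
    $tpm = Get-WmiObject -Namespace $TpmNamespace -Class Win32_Tpm
    foreach ($name in $Ordinals.Keys) {
        $blocked = [bool]$tpm.IsCommandBlocked($Ordinals[$name]).IsBlocked
        New-Object PSObject -Property @{ Command = $name; Ordinal = $Ordinals[$name]; Blocked = $blocked }
    }
}

$state = Get-TpmStateReport
Write-Output ("TPM state: {0}" -f $state.Summary)
if ($state.Present) {
    Write-Output ("Enabled={0} Activated={1} Owned={2} SpecVersion={3}" -f `
        $state.Enabled, $state.Activated, $state.Owned, $state.SpecVersion)
    Test-TpmCommandsBlocked | Format-Table Command, Ordinal, Blocked -AutoSize
}
```

Compare the Blocked column against the Command Management node in tpm.msc: a command that reports Blocked but is not on the local block list is being blocked by Group Policy or the default block list, which the note above says a local administrator cannot override.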


Logging bugs and feedback 


Because TPM Services is a new feature set in Windows Server "Longhorn" and 
Windows Vista, we are very interested in your feedback on your experiences 
with TPM Services, problems you encountered and the usefulness of the 
documentation. 


When you log bugs, use the instructions on the Microsoft Connect Web site 
(http://go.microsoft.com/fwlink/?LinkId=49779). We are also interested in 
requests and general feedback about TPM Services. 


General feedback and requests for TPM Services can be sent to 
tominfo@microsoft.com. 


Additional resources 


The following resources provide additional information about TPM Services: 


• If you need product support, see the Microsoft Connect Web site 
(http://go.microsoft.com/fwlink/?LinkId=49779). 


• To access newsgroups for TPM Services, follow the instructions that are 
provided on the Microsoft Connect Web site 
(http://go.microsoft.com/fwlink/?LinkId=50067). 


• The BitLocker Drive Encryption team maintains a team blog on the 
Microsoft TechNet Web site (http://go.microsoft.com/fwlink/?LinkId=66461). 


Technology Adoption Program support 


If you are a beta tester and part of the special Technology Adoption Program 
(TAP) beta program, you can also contact your appointed Microsoft 
development team member for assistance. 


